Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
why3
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
113
Issues
113
List
Boards
Labels
Milestones
Merge Requests
13
Merge Requests
13
Packages & Registries
Packages & Registries
Container Registry
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Why3
why3
Commits
a8c13660
Commit
a8c13660
authored
Feb 13, 2014
by
Jean-Christophe Filliâtre
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
update proof session
parent
54f0afbe
Changes
3
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
41 additions
and
414 deletions
+41
-414
examples/vstte12_two_way_sort/vstte12_two_way_sort_WP_TwoWaySort_WP_parameter_two_way_sort_1.v
..._two_way_sort_WP_TwoWaySort_WP_parameter_two_way_sort_1.v
+0
-191
examples/vstte12_two_way_sort/vstte12_two_way_sort_WP_TwoWaySort_WP_parameter_two_way_sort_2.v
..._two_way_sort_WP_TwoWaySort_WP_parameter_two_way_sort_2.v
+0
-161
examples/vstte12_two_way_sort/why3session.xml
examples/vstte12_two_way_sort/why3session.xml
+41
-62
No files found.
examples/vstte12_two_way_sort/vstte12_two_way_sort_WP_TwoWaySort_WP_parameter_two_way_sort_1.v
deleted
100644 → 0
View file @
54f0afbe
(
*
This
file
is
generated
by
Why3
'
s
Coq
driver
*
)
(
*
Beware
!
Only
edit
allowed
sections
below
*
)
Require
Import
ZArith
.
Require
Import
Rbase
.
Definition
unit
:=
unit
.
Parameter
qtmark
:
Type
.
Parameter
at1
:
forall
(
a
:
Type
),
a
->
qtmark
->
a
.
Implicit
Arguments
at1
.
Parameter
old
:
forall
(
a
:
Type
),
a
->
a
.
Implicit
Arguments
old
.
Definition
implb
(
x
:
bool
)
(
y
:
bool
)
:
bool
:=
match
(
x
,
y
)
with
|
(
true
,
false
)
=>
false
|
(
_
,
_
)
=>
true
end
.
Inductive
ref
(
a
:
Type
)
:=
|
mk_ref
:
a
->
ref
a
.
Implicit
Arguments
mk_ref
.
Definition
contents
(
a
:
Type
)(
u
:
(
ref
a
))
:
a
:=
match
u
with
|
(
mk_ref
contents1
)
=>
contents1
end
.
Implicit
Arguments
contents
.
Parameter
map
:
forall
(
a
:
Type
)
(
b
:
Type
),
Type
.
Parameter
get
:
forall
(
a
:
Type
)
(
b
:
Type
),
(
map
a
b
)
->
a
->
b
.
Implicit
Arguments
get
.
Parameter
set
:
forall
(
a
:
Type
)
(
b
:
Type
),
(
map
a
b
)
->
a
->
b
->
(
map
a
b
).
Implicit
Arguments
set
.
Axiom
Select_eq
:
forall
(
a
:
Type
)
(
b
:
Type
),
forall
(
m
:
(
map
a
b
)),
forall
(
a1
:
a
)
(
a2
:
a
),
forall
(
b1
:
b
),
(
a1
=
a2
)
->
((
get
(
set
m
a1
b1
)
a2
)
=
b1
).
Axiom
Select_neq
:
forall
(
a
:
Type
)
(
b
:
Type
),
forall
(
m
:
(
map
a
b
)),
forall
(
a1
:
a
)
(
a2
:
a
),
forall
(
b1
:
b
),
(
~
(
a1
=
a2
))
->
((
get
(
set
m
a1
b1
)
a2
)
=
(
get
m
a2
)).
Parameter
const
:
forall
(
b
:
Type
)
(
a
:
Type
),
b
->
(
map
a
b
).
Set
Contextual
Implicit
.
Implicit
Arguments
const
.
Unset
Contextual
Implicit
.
Axiom
Const
:
forall
(
b
:
Type
)
(
a
:
Type
),
forall
(
b1
:
b
)
(
a1
:
a
),
((
get
(
const
(
b1
)
:
(
map
a
b
))
a1
)
=
b1
).
Inductive
array
(
a
:
Type
)
:=
|
mk_array
:
Z
->
(
map
Z
a
)
->
array
a
.
Implicit
Arguments
mk_array
.
Definition
elts
(
a
:
Type
)(
u
:
(
array
a
))
:
(
map
Z
a
)
:=
match
u
with
|
(
mk_array
_
elts1
)
=>
elts1
end
.
Implicit
Arguments
elts
.
Definition
length
(
a
:
Type
)(
u
:
(
array
a
))
:
Z
:=
match
u
with
|
(
mk_array
length1
_
)
=>
length1
end
.
Implicit
Arguments
length
.
Definition
get1
(
a
:
Type
)(
a1
:
(
array
a
))
(
i
:
Z
)
:
a
:=
(
get
(
elts
a1
)
i
).
Implicit
Arguments
get1
.
Definition
set1
(
a
:
Type
)(
a1
:
(
array
a
))
(
i
:
Z
)
(
v
:
a
)
:
(
array
a
)
:=
match
a1
with
|
(
mk_array
xcl0
_
)
=>
(
mk_array
xcl0
(
set
(
elts
a1
)
i
v
))
end
.
Implicit
Arguments
set1
.
Definition
map_eq_sub
(
a
:
Type
)(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
forall
(
i
:
Z
),
((
l
<=
i
)
%
Z
/
\
(
i
<
u
)
%
Z
)
->
((
get
a1
i
)
=
(
get
a2
i
)).
Implicit
Arguments
map_eq_sub
.
Definition
exchange
(
a
:
Type
)(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
))
(
i
:
Z
)
(
j
:
Z
)
:
Prop
:=
((
get
a1
i
)
=
(
get
a2
j
))
/
\
(((
get
a2
i
)
=
(
get
a1
j
))
/
\
forall
(
k
:
Z
),
((
~
(
k
=
i
))
/
\
~
(
k
=
j
))
->
((
get
a1
k
)
=
(
get
a2
k
))).
Implicit
Arguments
exchange
.
Axiom
exchange_set
:
forall
(
a
:
Type
),
forall
(
a1
:
(
map
Z
a
)),
forall
(
i
:
Z
)
(
j
:
Z
),
(
exchange
a1
(
set
(
set
a1
i
(
get
a1
j
))
j
(
get
a1
i
))
i
j
).
Inductive
permut_sub
{
a
:
Type
}
:
(
map
Z
a
)
->
(
map
Z
a
)
->
Z
->
Z
->
Prop
:=
|
permut_refl
:
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
)),
forall
(
l
:
Z
)
(
u
:
Z
),
(
map_eq_sub
a1
a2
l
u
)
->
(
permut_sub
a1
a2
l
u
)
|
permut_sym
:
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
)),
forall
(
l
:
Z
)
(
u
:
Z
),
(
permut_sub
a1
a2
l
u
)
->
(
permut_sub
a2
a1
l
u
)
|
permut_trans
:
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
))
(
a3
:
(
map
Z
a
)),
forall
(
l
:
Z
)
(
u
:
Z
),
(
permut_sub
a1
a2
l
u
)
->
((
permut_sub
a2
a3
l
u
)
->
(
permut_sub
a1
a3
l
u
))
|
permut_exchange
:
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
)),
forall
(
l
:
Z
)
(
u
:
Z
)
(
i
:
Z
)
(
j
:
Z
),
((
l
<=
i
)
%
Z
/
\
(
i
<
u
)
%
Z
)
->
(((
l
<=
j
)
%
Z
/
\
(
j
<
u
)
%
Z
)
->
((
exchange
a1
a2
i
j
)
->
(
permut_sub
a1
a2
l
u
))).
Implicit
Arguments
permut_sub
.
Axiom
permut_weakening
:
forall
(
a
:
Type
),
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
)),
forall
(
l1
:
Z
)
(
r1
:
Z
)
(
l2
:
Z
)
(
r2
:
Z
),
(((
l1
<=
l2
)
%
Z
/
\
(
l2
<=
r2
)
%
Z
)
/
\
(
r2
<=
r1
)
%
Z
)
->
((
permut_sub
a1
a2
l2
r2
)
->
(
permut_sub
a1
a2
l1
r1
)).
Axiom
permut_eq
:
forall
(
a
:
Type
),
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
)),
forall
(
l
:
Z
)
(
u
:
Z
),
(
permut_sub
a1
a2
l
u
)
->
forall
(
i
:
Z
),
((
i
<
l
)
%
Z
\
/
(
u
<=
i
)
%
Z
)
->
((
get
a2
i
)
=
(
get
a1
i
)).
Axiom
permut_exists
:
forall
(
a
:
Type
),
forall
(
a1
:
(
map
Z
a
))
(
a2
:
(
map
Z
a
)),
forall
(
l
:
Z
)
(
u
:
Z
),
(
permut_sub
a1
a2
l
u
)
->
forall
(
i
:
Z
),
((
l
<=
i
)
%
Z
/
\
(
i
<
u
)
%
Z
)
->
exists
j
:
Z
,
((
l
<=
j
)
%
Z
/
\
(
j
<
u
)
%
Z
)
/
\
((
get
a2
i
)
=
(
get
a1
j
)).
Definition
exchange1
(
a
:
Type
)(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
(
i
:
Z
)
(
j
:
Z
)
:
Prop
:=
(
exchange
(
elts
a1
)
(
elts
a2
)
i
j
).
Implicit
Arguments
exchange1
.
Definition
permut_sub1
(
a
:
Type
)(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
(
permut_sub
(
elts
a1
)
(
elts
a2
)
l
u
).
Implicit
Arguments
permut_sub1
.
Definition
permut
(
a
:
Type
)(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(
permut_sub
(
elts
a1
)
(
elts
a2
)
0
%
Z
(
length
a1
)).
Implicit
Arguments
permut
.
Axiom
exchange_permut
:
forall
(
a
:
Type
),
forall
(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
(
i
:
Z
)
(
j
:
Z
),
(
exchange1
a1
a2
i
j
)
->
(((
length
a1
)
=
(
length
a2
))
->
(((
0
%
Z
<=
i
)
%
Z
/
\
(
i
<
(
length
a1
))
%
Z
)
->
(((
0
%
Z
<=
j
)
%
Z
/
\
(
j
<
(
length
a1
))
%
Z
)
->
(
permut
a1
a2
)))).
Axiom
permut_sym1
:
forall
(
a
:
Type
),
forall
(
a1
:
(
array
a
))
(
a2
:
(
array
a
)),
(
permut
a1
a2
)
->
(
permut
a2
a1
).
Axiom
permut_trans1
:
forall
(
a
:
Type
),
forall
(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
(
a3
:
(
array
a
)),
(
permut
a1
a2
)
->
((
permut
a2
a3
)
->
(
permut
a1
a3
)).
Definition
array_eq_sub
(
a
:
Type
)(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
(
map_eq_sub
(
elts
a1
)
(
elts
a2
)
l
u
).
Implicit
Arguments
array_eq_sub
.
Definition
array_eq
(
a
:
Type
)(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(
array_eq_sub
a1
a2
0
%
Z
(
length
a1
)).
Implicit
Arguments
array_eq
.
Axiom
array_eq_sub_permut
:
forall
(
a
:
Type
),
forall
(
a1
:
(
array
a
))
(
a2
:
(
array
a
))
(
l
:
Z
)
(
u
:
Z
),
(
array_eq_sub
a1
a2
l
u
)
->
(
permut_sub1
a1
a2
l
u
).
Axiom
array_eq_permut
:
forall
(
a
:
Type
),
forall
(
a1
:
(
array
a
))
(
a2
:
(
array
a
)),
(
array_eq
a1
a2
)
->
(
permut
a1
a2
).
Definition
le
(
x
:
bool
)
(
y
:
bool
)
:
Prop
:=
(
x
=
false
)
\
/
(
y
=
true
).
Definition
sorted
(
a
:
(
array
bool
))
:
Prop
:=
forall
(
i1
:
Z
)
(
i2
:
Z
),
(((
0
%
Z
<=
i1
)
%
Z
/
\
(
i1
<=
i2
)
%
Z
)
/
\
(
i2
<
(
length
a
))
%
Z
)
->
(
le
(
get1
a
i1
)
(
get1
a
i2
)).
(
*
YOU
MAY
EDIT
THE
CONTEXT
BELOW
*
)
(
*
DO
NOT
EDIT
BELOW
*
)
Theorem
WP_parameter_two_way_sort
:
forall
(
a
:
Z
),
forall
(
a1
:
(
map
Z
bool
)),
let
a2
:=
(
mk_array
a
a1
)
in
forall
(
j
:
Z
),
forall
(
i
:
Z
),
forall
(
a3
:
(
map
Z
bool
)),
((
0
%
Z
<=
i
)
%
Z
/
\
((
j
<
a
)
%
Z
/
\
((
permut
a2
(
mk_array
a
a3
))
/
\
((
forall
(
k
:
Z
),
((
0
%
Z
<=
k
)
%
Z
/
\
(
k
<
i
)
%
Z
)
->
~
((
get
a3
k
)
=
true
))
/
\
forall
(
k
:
Z
),
((
j
<
k
)
%
Z
/
\
(
k
<
a
)
%
Z
)
->
((
get
a3
k
)
=
true
)))))
->
((
i
<
j
)
%
Z
->
(((
0
%
Z
<=
i
)
%
Z
/
\
(
i
<
a
)
%
Z
)
->
(((
get
a3
i
)
=
true
)
->
(((
0
%
Z
<=
j
)
%
Z
/
\
(
j
<
a
)
%
Z
)
->
((
~
((
get
a3
j
)
=
true
))
->
((((
0
%
Z
<=
i
)
%
Z
/
\
(
i
<
a
)
%
Z
)
/
\
((
0
%
Z
<=
j
)
%
Z
/
\
(
j
<
a
)
%
Z
))
->
forall
(
a4
:
(
map
Z
bool
)),
(
exchange
a3
a4
i
j
)
->
forall
(
i1
:
Z
),
(
i1
=
(
i
+
1
%
Z
)
%
Z
)
->
forall
(
j1
:
Z
),
(
j1
=
(
j
-
1
%
Z
)
%
Z
)
->
(
permut
a2
(
mk_array
a
a4
)))))))).
(
*
YOU
MAY
EDIT
THE
PROOF
BELOW
*
)
intuition
.
intuition
.
apply
permut_trans1
with
(
mk_array
a
a3
);
auto
.
apply
exchange_permut
with
i
j
;
auto
.
Qed
.
(
*
DO
NOT
EDIT
BELOW
*
)
examples/vstte12_two_way_sort/vstte12_two_way_sort_WP_TwoWaySort_WP_parameter_two_way_sort_2.v
deleted
100644 → 0
View file @
54f0afbe
(
*
This
file
is
generated
by
Why3
'
s
Coq
8.4
driver
*
)
(
*
Beware
!
Only
edit
allowed
sections
below
*
)
Require
Import
BuiltIn
.
Require
BuiltIn
.
Require
int
.
Int
.
Require
bool
.
Bool
.
Require
map
.
Map
.
Require
map
.
MapPermut
.
(
*
Why3
assumption
*
)
Definition
unit
:=
unit
.
(
*
Why3
assumption
*
)
Inductive
ref
(
a
:
Type
)
{
a_WT
:
WhyType
a
}
:=
|
mk_ref
:
a
->
ref
a
.
Axiom
ref_WhyType
:
forall
(
a
:
Type
)
{
a_WT
:
WhyType
a
}
,
WhyType
(
ref
a
).
Existing
Instance
ref_WhyType
.
Implicit
Arguments
mk_ref
[[
a
]
[
a_WT
]].
(
*
Why3
assumption
*
)
Definition
contents
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
v
:
(
@
ref
a
a_WT
))
:
a
:=
match
v
with
|
(
mk_ref
x
)
=>
x
end
.
(
*
Why3
assumption
*
)
Inductive
array
(
a
:
Type
)
{
a_WT
:
WhyType
a
}
:=
|
mk_array
:
Z
->
(
@
map
.
Map
.
map
Z
_
a
a_WT
)
->
array
a
.
Axiom
array_WhyType
:
forall
(
a
:
Type
)
{
a_WT
:
WhyType
a
}
,
WhyType
(
array
a
).
Existing
Instance
array_WhyType
.
Implicit
Arguments
mk_array
[[
a
]
[
a_WT
]].
(
*
Why3
assumption
*
)
Definition
elts
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
v
:
(
@
array
a
a_WT
))
:
(
@
map
.
Map
.
map
Z
_
a
a_WT
)
:=
match
v
with
|
(
mk_array
x
x1
)
=>
x1
end
.
(
*
Why3
assumption
*
)
Definition
length
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
v
:
(
@
array
a
a_WT
))
:
Z
:=
match
v
with
|
(
mk_array
x
x1
)
=>
x
end
.
(
*
Why3
assumption
*
)
Definition
get
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
i
:
Z
)
:
a
:=
(
map
.
Map
.
get
(
elts
a1
)
i
).
(
*
Why3
assumption
*
)
Definition
set
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
i
:
Z
)
(
v
:
a
)
:
(
@
array
a
a_WT
)
:=
(
mk_array
(
length
a1
)
(
map
.
Map
.
set
(
elts
a1
)
i
v
)).
(
*
Why3
assumption
*
)
Definition
make
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
n
:
Z
)
(
v
:
a
)
:
(
@
array
a
a_WT
)
:=
(
mk_array
n
(
map
.
Map
.
const
v
:
(
@
map
.
Map
.
map
Z
_
a
a_WT
))).
(
*
Why3
assumption
*
)
Definition
map_eq_sub
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
map
.
Map
.
map
Z
_
a
a_WT
))
(
a2
:
(
@
map
.
Map
.
map
Z
_
a
a_WT
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
forall
(
i
:
Z
),
((
l
<=
i
)
%
Z
/
\
(
i
<
u
)
%
Z
)
->
((
map
.
Map
.
get
a1
i
)
=
(
map
.
Map
.
get
a2
i
)).
(
*
Why3
assumption
*
)
Definition
array_eq_sub
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(((
0
%
Z
<=
l
)
%
Z
/
\
(
l
<=
(
length
a1
))
%
Z
)
/
\
(((
0
%
Z
<=
u
)
%
Z
/
\
(
u
<=
(
length
a1
))
%
Z
)
/
\
(
map_eq_sub
(
elts
a1
)
(
elts
a2
)
l
u
))).
(
*
Why3
assumption
*
)
Definition
array_eq
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(
map_eq_sub
(
elts
a1
)
(
elts
a2
)
0
%
Z
(
length
a1
)).
(
*
Why3
assumption
*
)
Definition
exchange
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
i
:
Z
)
(
j
:
Z
)
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(((
0
%
Z
<=
i
)
%
Z
/
\
(
i
<
(
length
a1
))
%
Z
)
/
\
(((
0
%
Z
<=
j
)
%
Z
/
\
(
j
<
(
length
a1
))
%
Z
)
/
\
(((
get
a1
i
)
=
(
get
a2
j
))
/
\
(((
get
a1
j
)
=
(
get
a2
i
))
/
\
forall
(
k
:
Z
),
((
0
%
Z
<=
k
)
%
Z
/
\
(
k
<
(
length
a1
))
%
Z
)
->
((
~
(
k
=
i
))
->
((
~
(
k
=
j
))
->
((
get
a1
k
)
=
(
get
a2
k
)))))))).
(
*
Why3
assumption
*
)
Definition
permut
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(((
0
%
Z
<=
l
)
%
Z
/
\
(
l
<=
(
length
a1
))
%
Z
)
/
\
(((
0
%
Z
<=
u
)
%
Z
/
\
(
u
<=
(
length
a1
))
%
Z
)
/
\
(
map
.
MapPermut
.
permut
(
elts
a1
)
(
elts
a2
)
l
u
))).
(
*
Why3
assumption
*
)
Definition
permut_sub
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
l
:
Z
)
(
u
:
Z
)
:
Prop
:=
(
map_eq_sub
(
elts
a1
)
(
elts
a2
)
0
%
Z
l
)
/
\
((
permut
a1
a2
l
u
)
/
\
(
map_eq_sub
(
elts
a1
)
(
elts
a2
)
u
(
length
a1
))).
(
*
Why3
assumption
*
)
Definition
permut_all
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
:
Prop
:=
((
length
a1
)
=
(
length
a2
))
/
\
(
map
.
MapPermut
.
permut
(
elts
a1
)
(
elts
a2
)
0
%
Z
(
length
a1
)).
Axiom
permut_all_refl
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
)),
(
permut_all
a1
a1
).
Axiom
exchange_permut_all
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
i
:
Z
)
(
j
:
Z
),
(
exchange
a1
a2
i
j
)
->
(
permut_all
a1
a2
).
Axiom
permut_all_sym
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
)),
(
permut_all
a1
a2
)
->
(
permut_all
a2
a1
).
Axiom
permut_all_trans
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
a3
:
(
@
array
a
a_WT
)),
(
permut_all
a1
a2
)
->
((
permut_all
a2
a3
)
->
(
permut_all
a1
a3
)).
Axiom
array_eq_permut_all
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
)),
(
array_eq
a1
a2
)
->
(
permut_all
a1
a2
).
Axiom
permut_sub_weakening
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
l1
:
Z
)
(
u1
:
Z
)
(
l2
:
Z
)
(
u2
:
Z
),
(
permut_sub
a1
a2
l1
u1
)
->
(((
0
%
Z
<=
l2
)
%
Z
/
\
(
l2
<=
l1
)
%
Z
)
->
(((
u1
<=
u2
)
%
Z
/
\
(
u2
<=
(
length
a1
))
%
Z
)
->
(
permut_sub
a1
a2
l2
u2
))).
Axiom
permut_sub_permut_all
:
forall
{
a
:
Type
}
{
a_WT
:
WhyType
a
}
,
forall
(
a1
:
(
@
array
a
a_WT
))
(
a2
:
(
@
array
a
a_WT
))
(
l
:
Z
)
(
u
:
Z
),
(
permut_sub
a1
a2
l
u
)
->
(
permut_all
a1
a2
).
(
*
Why3
assumption
*
)
Definition
le
(
x
:
bool
)
(
y
:
bool
)
:
Prop
:=
(
x
=
false
)
\
/
(
y
=
true
).
(
*
Why3
assumption
*
)
Definition
sorted
(
a
:
(
@
array
bool
_
))
:
Prop
:=
forall
(
i1
:
Z
)
(
i2
:
Z
),
((
0
%
Z
<=
i1
)
%
Z
/
\
((
i1
<=
i2
)
%
Z
/
\
(
i2
<
(
length
a
))
%
Z
))
->
(
le
(
get
a
i1
)
(
get
a
i2
)).
(
*
Why3
goal
*
)
Theorem
WP_parameter_two_way_sort
:
forall
(
a
:
Z
)
(
a1
:
(
@
map
.
Map
.
map
Z
_
bool
_
)),
let
a2
:=
(
mk_array
a
a1
)
in
((
0
%
Z
<=
a
)
%
Z
->
forall
(
j
:
Z
)
(
i
:
Z
)
(
a3
:
(
@
map
.
Map
.
map
Z
_
bool
_
)),
let
a4
:=
(
mk_array
a
a3
)
in
(((
0
%
Z
<=
i
)
%
Z
/
\
((
j
<
a
)
%
Z
/
\
((
permut_all
a2
a4
)
/
\
((
forall
(
k
:
Z
),
((
0
%
Z
<=
k
)
%
Z
/
\
(
k
<
i
)
%
Z
)
->
((
map
.
Map
.
get
a3
k
)
=
false
))
/
\
forall
(
k
:
Z
),
((
j
<
k
)
%
Z
/
\
(
k
<
a
)
%
Z
)
->
((
map
.
Map
.
get
a3
k
)
=
true
)))))
->
((
i
<
j
)
%
Z
->
(((
0
%
Z
<=
a
)
%
Z
/
\
((
0
%
Z
<=
i
)
%
Z
/
\
(
i
<
a
)
%
Z
))
->
(((
map
.
Map
.
get
a3
i
)
=
true
)
->
(((
0
%
Z
<=
j
)
%
Z
/
\
(
j
<
a
)
%
Z
)
->
((
~
((
map
.
Map
.
get
a3
j
)
=
true
))
->
((((
0
%
Z
<=
i
)
%
Z
/
\
(
i
<
a
)
%
Z
)
/
\
((
0
%
Z
<=
j
)
%
Z
/
\
(
j
<
a
)
%
Z
))
->
forall
(
a5
:
(
@
map
.
Map
.
map
Z
_
bool
_
)),
let
a6
:=
(
mk_array
a
a5
)
in
(((
0
%
Z
<=
a
)
%
Z
/
\
(
exchange
a4
a6
i
j
))
->
forall
(
i1
:
Z
),
(
i1
=
(
i
+
1
%
Z
)
%
Z
)
->
forall
(
j1
:
Z
),
(
j1
=
(
j
-
1
%
Z
)
%
Z
)
->
(
permut_all
a2
a6
)))))))))).
(
*
Why3
intros
a
a1
a2
h1
j
i
a3
a4
(
h2
,(
h3
,(
h4
,(
h5
,
h6
))))
h7
(
h8
,(
h9
,
h10
))
h11
(
h12
,
h13
)
h14
((
h15
,
h16
),(
h17
,
h18
))
a5
a6
(
h19
,
h20
)
i1
h21
j1
h22
.
*
)
(
*
intros
a
a1
a2
h1
j
i
a3
(
h2
,(
h3
,(
h4
,(
h5
,
h6
))))
h7
(
h8
,(
h9
,
h10
))
h11
(
h12
,
h13
)
h14
((
h15
,
h16
),(
h17
,
h18
))
a4
(
h19
,
h20
)
i1
h21
j1
h22
.
*
)
(
*
YOU
MAY
EDIT
THE
PROOF
BELOW
*
)
intuition
.
intuition
.
apply
permut_all_trans
with
(
mk_array
a
a3
);
auto
.
apply
exchange_permut_all
with
i
j
;
auto
.
Qed
.
examples/vstte12_two_way_sort/why3session.xml
View file @
a8c13660
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
